Reporting Server TLS 1.2 Support

SUMMARY: Add TLS 1.2 Support information to the user guide.

DOCUMENT: The next publication of the GVP 8.5 User's Guide will include these revisions.

CHAPTER: Chapter 14: Configuring the Reporting Server

SECTION: Reporting Server TLS 1.2 Support

Add a new section titled "Reporting Server TLS 1.2 Support", and add the following information to the section:

TLS 1.2 MS SQL Server

Support of TLS 1.2 Connection between RS and RS Database (MS SQL Server) is validated for VP Reporting Server. The purpose of this section is to describe a simple configuration and environment setup.

The overall objective is to support TLS 1.2 Connection for Reporting Server and Reporting Server database (MS SQL Server).

Prerequisite information for RS – RS DB (SQL Server) TLS 1.2 Connection Support

  • Install and enable MS SQL Server to support TLS 1.2 version.
  • SQL Server's SSL certificate authority's certificate (CA certificate of SQLServer).
  • Use JRE 1.8 to have TLS 1.2 enabled by default.

Reporting Server Connecting SQL Server with TLS Encryption

The examples in this topic describe how to use connection string properties that allow the Reporting Server application to use Secure Sockets Layer (SSL/TLS) encryption with SQL Server. For more information about connection string properties such as encrypt, trustServerCertificate, trustStore, trustStorePassword, and hostNameInCertificate, refer to the SQL Server documentation.

When the encrypt property is set to true and the trustServerCertificate property is set to true, the Microsoft JDBC Driver for SQL Server will not validate the SQL Server SSL certificate, so the connection is encrypted but the server's identity is not verified. This is usually required for allowing connections in test environments, such as where the SQL Server instance has only a self-signed certificate.

The following example demonstrates how to set the trustServerCertificate property in a connection string:

hibernate.remote.url = jdbc:sqlserver://172.24.134.87:1433;sslProtocol=TLS;encrypt=true;trustServerCertificate=true;

When the encrypt property is set to true and the trustServerCertificate property is set to false, the Microsoft JDBC Driver for SQL Server will validate the SQL Server SSL certificate. Validating the server certificate is a part of the SSL handshake and ensures that the server is the correct server to connect to. To validate the server certificate, the trust material must be supplied at connection time either by using trustStore and trustStorePassword connection properties explicitly, or by using the underlying Java Virtual Machine (JVM)'s default trust store implicitly.

The trustStore property specifies the path (including filename) to the certificate trustStore file, which contains the list of certificates that the client trusts. The trustStorePassword property specifies the password for the trustStore.

The following example demonstrates how to set the trustStore and trustStorePassword properties in a connection string:

hibernate.remote.url = jdbc:sqlserver://172.24.134.87:1433;sslProtocol=TLS;encrypt=true;trustServerCertificate=false;trustStore=/opt/genesys/gvp/VP_Reporting_Server_8.5/Certificates/cert_authority.jks;trustStorePassword=changeit

The JDBC Driver provides an additional property, hostNameInCertificate, which specifies the host name of the server. The value of this property must match the subject property of the certificate.

The following example demonstrates how to use the hostNameInCertificate property in a connection string:

hibernate.remote.url = jdbc:sqlserver://172.24.134.87:1433;sslProtocol=TLS;encrypt=true;trustServerCertificate=false;trustStore=/opt/genesys/gvp/VP_Reporting_Server_8.5/Certificates/cert_authority.jks;trustStorePassword=changeit;hostNameInCertificate=GEN-C7-87

If the encrypt property is set to true, the trustServerCertificate property is set to false, and the server name in the connection string does not match the server name in the SQL Server SSL certificate, the following error is issued:

The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "java.security.cert.CertificateException: Failed to validate the server name in a certificate during Secure Sockets Layer (SSL) initialization."
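The combinations of encrypt, trustServerCertificate, trustStore and hostNameInCertificate described above can be checked mechanically before a configuration is deployed. The following Python script is an added example, not part of the Genesys guide or the Microsoft driver; the names parse_url, is_ip and audit are hypothetical, and the samples are the three connection strings shown in this section.

```python
import ipaddress
PREFIX = "jdbc:sqlserver://"

def parse_url(line):
    """Accept a bare URL or a 'hibernate.remote.url = ...' line; return (host, props)."""
    url = line.strip()
    if not url.lower().startswith("jdbc:"):
        url = url.partition("=")[2].strip()      # drop the property name
    if not url.lower().startswith(PREFIX):
        raise ValueError("not a jdbc:sqlserver URL")
    server, _, rest = url[len(PREFIX):].partition(";")
    host = server.split("\\")[0].split(":")[0]   # drop \instance and :port (IPv4 or name only)
    props = {}
    for pair in rest.split(";"):
        key, sep, value = pair.partition("=")
        if sep:
            props[key.strip().lower()] = value.strip()   # lowercased for matching
    return host, props

def is_ip(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def audit(line):
    """Return TLS-related findings for one connection string (empty list = none)."""
    host, p = parse_url(line)
    findings = []
    if p.get("encrypt", "").lower() != "true":
        findings.append("encrypt is not set to true")
    if p.get("trustservercertificate", "").lower() == "true":
        findings.append("trustServerCertificate=true: server certificate is not validated")
    else:
        if "truststore" not in p:
            findings.append("no trustStore: the JVM default trust store is used")
        if is_ip(host) and "hostnameincertificate" not in p:
            findings.append("no hostNameInCertificate: name check uses the IP address")
    return findings

# The three connection strings from this section, rebuilt from shared parts.
BASE = "hibernate.remote.url = jdbc:sqlserver://172.24.134.87:1433;sslProtocol=TLS;encrypt=true;"
STORE = "trustStore=/opt/genesys/gvp/VP_Reporting_Server_8.5/Certificates/cert_authority.jks;trustStorePassword=changeit"
SAMPLES = [BASE + "trustServerCertificate=true;",
           BASE + "trustServerCertificate=false;" + STORE,
           BASE + "trustServerCertificate=false;" + STORE + ";hostNameInCertificate=GEN-C7-87"]

if __name__ == "__main__":
    print(*(audit(s) or "ok" for s in SAMPLES), sep="\n")
```

Only the third string, which validates the certificate against a supplied trust store and names the host expected in the certificate, produces no findings.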

Importing the Server Certificate to Client (Reporting Server) Trust Store

During the SSL handshake, the server sends its certificate to the client. The issuer of a certificate is known as a Certificate Authority (CA). The client must ensure that the certificate authority is one that the client trusts. Normally, the JVM ships with a predefined set of trusted certificate authorities.

If the instance of SQL Server's SSL certificate is issued by a private certificate authority, you must add the certificate authority's certificate to the list of trusted certificates in the client computer's trust store.

To do that, use the Java "keytool" utility that is installed with the JRE (Java Runtime Environment). The following command demonstrates how to use the "keytool" utility to import a certificate from a file:

Create a Certificates directory in the RS installation location and then run keytool as follows (command syntax first, then an example):

Windows:

keytool -importcert -alias <ca-alias-name> -keystore <keystore-filename-withpath> -storepass <keystore-password> -file <ca-cert-filename>

keytool -importcert -alias startcassl -keystore "C:\Program Files\GCTI\gvp\VP Reporting Server 8.5\VP_ReportingServer_851\Certificates\cert_authority.jks" -storepass changeit -file cert_authority.crt

Important
GEN-C7-87, used in the hostNameInCertificate example, is the SQL Server host name.

More details on Client connection to SQL Server are available at Microsoft JDBC Driver for SQL Server.

TLS 1.2 Support (Oracle)

Support of TLS 1.2 Connection between RS and RS Database (Oracle) is validated for VP Reporting Server. The purpose of this section is to describe a simple configuration and environment setup.

The overall objective is to support TLS 1.2 Connection for Reporting Server and Reporting Server database (Oracle).

Prerequisite information for RS – RS DB (Oracle) TLS 1.2 Connection Support

  • Install and enable Oracle to support TLS 1.2 version.
  • Oracle SSL certificate authority's certificate (CA certificate of Oracle).
  • Use JRE 1.8 to have TLS 1.2 enabled.

Reporting Server Connecting Oracle with TLS Encryption

Set the following system properties and use the connection string below in "hibernate.remote.url" to connect to Oracle with TLS 1.2:

  • javax.net.ssl.trustStore
  • javax.net.ssl.trustStoreType
  • javax.net.ssl.trustStorePassword

hibernate.remote.url = jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))

Reporting Server TLS 1.2 Support for HTTPS

Refer to the "Enabling HTTPS for Reporting" section of the GVP 8.5 User's Guide.

Reporting Server TLS 1.2 Support for Configuration Server and Message Server

RS supports TLS connections to Configuration Server and Message Server through secure ports exposed by the Configuration Server.

This page was last modified on July 10, 2018, at 23:40.